
21 - 29 of 29 Posts

Administrator · 71 Posts
I think you are missing the real issue here. Yes it's a PITA to change our passwords but that's just what we have to do when your server gets hacked. All we can do is ask that you improve your security so that your server does not get hacked again.

My problem is your new requirement for very strong passwords that expire every year. Yes, that is one way of ensuring that we, as users, do not reuse passwords between different sites but it really does not address the problem of bad server security. If your servers get hacked again, the strength of our passwords is unimportant. We will have to change our passwords again because you can't assume passwords are good enough after a hack, you just have to change them. Our strong passwords will not prevent us from having to change passwords. Our strong passwords will not prevent your servers from getting hacked.

All strong passwords will achieve is that we will be inconvenienced by having to remember the new password. Strong passwords will also prevent us from reusing passwords. That's a nice goal but you are not my mother. I don't need you to tell me what passwords I can or cannot reuse. I have a simple method of creating and remembering simple passwords for all my low priority sites. Your new rules prevent me from using that method, and even if it did not, it will expire in a year. I have a different method of remembering all my high priority passwords and this site does not merit being included with all my high priority sites.

Essentially you have just demanded that I treat MR2OC as if it was as important as BankOfAmerica. It is just not that important and your new rules are an annoyance I do not want.

The new rules are just a show intended to distract us from the real issue of whether your server security is strong or not.
I see your point but I think it is being blown out of proportion.

This whole issue has nothing to do with our server security. A third party plugin got hacked and got limited access to some info for our sites and thousands of others. We got stuck cleaning up the mess and have legal and authorities on it.

The time you have spent posting all this is more than the time you will spend over the next few years updating a password with a few extra characters once a year.

Using (Passw0rd1234#!) versus using (Password1234) should not be that big of a deal; use the Google Chrome password manager and you will be fine. I have 700+ passwords in it.

https://support.google.com/chrome/answer/95606?hl=en

Jeff M
Registered · 769 Posts
I think you should rephrase that from:

"A third party plugin got hacked and got limited access to some info for our sites and thousands of others."

To:

"A third party plugin got hacked and exposed a security weakness we were unaware of."

Also, please don't tell me that my inconvenience is one I should be able to live with. Clearly I am going to live with it if I am going to continue using this site. However, this inconvenience is among a list of items I will consider as I decide which MR2 site I will make my next post on.

My point still stands. Strong password enforcement would have made no difference in this recent hack and will make no difference in any future hack. The benefit of forcing good password hygiene on me does not balance the annoyance for a non-critical non-monetary site.

The only true benefit of strong password enforcement is for those very very few people who insist on both using weak passwords and also reusing those same weak passwords on financially important sites.

Clearly I have already wasted more of my time ranting about this than the actual strong password enforcement. It's just one of my hot buttons when someone does something just so they can be seen as doing something, especially if it has no relation to the actual problem.
Registered · 769 Posts
Or perhaps I should just blame the lawyers because I am sure that somewhere along the line they said, "Just to minimize liability, set all security options to maximum."
Administrator · 71 Posts
Understood, not to dismiss your points but I did not just want to give you a canned corporate response.

I totally get it, however this is what the powers that be have laid out and I have marching orders.

Community health and members' security is my main priority, but feel free to send in a message to the contact us page.

MR2 Owners Club Message Board - Contact Us

Onward and upward - hope you stick around and enjoy the community.

Jeff M
Registered · 4 Posts
Great way to piss members off and not bother coming back.
I see some are already having issues. Hello!
Would be my call. Can you hear the DEATH KNELL ringing???????
I have only been lurking and have not had much to say being from another country.
But doubt I will be back.
I have never come across such stupidity getting logged in to just a forum.
I think others have made some very valid points that you need to consider if you want this forum to survive.
Administrator · 71 Posts
I will share feedback - also have any members with login issues fill out this contact us section for a reset.

MR2 Owners Club Message Board - Contact Us

Jeff M
Registered · 28 Posts
Hi Jeff,

I understand that you have increased password complexity (for security), but could you please provide a brief overview of what other changes are occurring in the management of the forum and in digital security going forward? (Excluding passwords being reset)

From my understanding, many of the articles state that a very minimal number of passwords were actually encrypted. If this is the case and nothing is done, then we are setting up very long and complex passwords, and resetting them once a year, for absolutely no benefit.

Thanks,

-Eric
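Eric's question above is whether the server side actually hashes stored passwords, since a complexity rule buys nothing if a leaked table contains the passwords themselves. The following is an added example, not code from this forum or its software: the weak plaintext store beside a salted PBKDF2 store, a verifier that handles both, and a check of what a leaked record reveals. The iteration count and salt size are assumed values.

```python
import hashlib
import hmac
import os

# Assumed parameters (not the forum's): PBKDF2 is slow on purpose, tune to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The weak setting: the stored record IS the password.
    A leak of this table hands over every account, strong password or not."""
    return {"scheme": "plain", "secret": password}


def store_hashed(password: str) -> dict:
    """The corrected setting: per-user random salt + PBKDF2-HMAC-SHA256.
    The record lets the site verify a login but does not contain the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against either record type, in constant time."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"].encode("utf-8"), attempt.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(bytes.fromhex(record["digest"]), digest)


def record_reveals_password(record: dict, password: str) -> bool:
    """What a database leak shows: is the password sitting in the record verbatim?
    This is the case Eric raises: complexity rules do not help if the answer is True."""
    return password in record.values()


if __name__ == "__main__":
    # Constructed sample values, taken from the passwords discussed in this thread.
    for store in (store_plaintext, store_hashed):
        rec = store("Password1234")
        print(store.__name__, "verifies:", verify(rec, "Password1234"),
              "leak reveals password:", record_reveals_password(rec, "Password1234"))
```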
Premium Member · 4,395 Posts
Pop-up Sign-In request from mr2 ownersclubDOTcom

I was already logged in here, and I just got a pop-up sign-in request from "mr2 ownersclubDOTcom"
I had already completed the (forced) password reset last week or so, so I was immediately suspicious... I saw that it had the "oc" part written out.

I was able to re-create the popup by typing in the website above (no spaces). I never entered any password anywhere.

The site goes nowhere. Do not type passwords into that request popup. As if things aren't hard enough during this time, the actual password reset process is targeted too.
Administrator · 71 Posts
Here is a posting about the issue:
VerticalScope.com

I would ignore anything that is not going directly to this URL.

Jeff M